Gitiles
Code Review Sign In
192.168.1.100 / T108 / 50f43abd51b98a89a2ec2d51cd2725a28869fae6 / . / marvell / linux / net / bridge / br_input.c
blob: 987fd26d799ef06599657b169ecfe288cc8999ce [file] [log] [blame]
b.liue9582032025-04-17 19:18:16 +0800[diff] [blame]1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Handle incoming frames
4 * Linux ethernet bridge
5 *
6 * Authors:
7 * Lennert Buytenhek <buytenh@gnu.org>
8 */
9
10#include <linux/slab.h>
11#include <linux/kernel.h>
12#include <linux/netdevice.h>
13#include <linux/etherdevice.h>
14#include <linux/netfilter_bridge.h>
15#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
16#include <net/netfilter/nf_queue.h>
17#endif
18#include <linux/neighbour.h>
19#include <net/arp.h>
20#include <linux/export.h>
21#include <linux/rculist.h>
22#include "br_private.h"
23#include "br_private_tunnel.h"
24#include "br_private_offload.h"
25
26static int
27br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
28{
29 br_drop_fake_rtable(skb);
30 return netif_receive_skb(skb);
31}
32
33static int br_pass_frame_up(struct sk_buff *skb)
34{
35 struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev;
36 struct net_bridge *br = netdev_priv(brdev);
37 struct net_bridge_vlan_group *vg;
38 struct pcpu_sw_netstats *brstats = this_cpu_ptr(br->stats);
39
40 u64_stats_update_begin(&brstats->syncp);
41 brstats->rx_packets++;
42 brstats->rx_bytes += skb->len;
43 u64_stats_update_end(&brstats->syncp);
44
45 vg = br_vlan_group_rcu(br);
46
47 /* Reset the offload_fwd_mark because there could be a stacked
48 * bridge above, and it should not think this bridge it doing
49 * that bridge's work forwarding out its ports.
50 */
51 br_switchdev_frame_unmark(skb);
52
53 /* Bridge is just like any other port. Make sure the
54 * packet is allowed except in promisc modue when someone
55 * may be running packet capture.
56 */
57 if (!(brdev->flags & IFF_PROMISC) &&
58 !br_allowed_egress(vg, skb)) {
59 kfree_skb(skb);
60 return NET_RX_DROP;
61 }
62
63 indev = skb->dev;
64 skb->dev = brdev;
65 skb = br_handle_vlan(br, NULL, vg, skb);
66 if (!skb)
67 return NET_RX_DROP;
68 /* update the multicast stats if the packet is IGMP/MLD */
69 br_multicast_count(br, NULL, skb, br_multicast_igmp_type(skb),
70 BR_MCAST_DIR_TX);
71
72 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
73 dev_net(indev), NULL, skb, indev, NULL,
74 br_netif_receive_skb);
75}
76
77/* note: already called with rcu_read_lock */
78int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
79{
80 struct net_bridge_port *p = br_port_get_rcu(skb->dev);
81 enum br_pkt_type pkt_type = BR_PKT_UNICAST;
82 struct net_bridge_fdb_entry *dst = NULL;
83 struct net_bridge_mdb_entry *mdst;
84 bool local_rcv, mcast_hit = false;
85 struct net_bridge *br;
86 u16 vid = 0;
87
88 if (!p || p->state == BR_STATE_DISABLED)
89 goto drop;
90
91 if (!br_allowed_ingress(p->br, nbp_vlan_group_rcu(p), skb, &vid))
92 goto out;
93
94 nbp_switchdev_frame_mark(p, skb);
95
96 /* insert into forwarding database after filtering to avoid spoofing */
97 br = p->br;
98 if (p->flags & BR_LEARNING)
99 br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, false);
100
101 local_rcv = !!(br->dev->flags & IFF_PROMISC);
102 if (is_multicast_ether_addr(eth_hdr(skb)->h_dest)) {
103 /* by definition the broadcast is also a multicast address */
104 if (is_broadcast_ether_addr(eth_hdr(skb)->h_dest)) {
105 pkt_type = BR_PKT_BROADCAST;
106 local_rcv = true;
107 } else {
108 pkt_type = BR_PKT_MULTICAST;
109 if (br_multicast_rcv(br, p, skb, vid))
110 goto drop;
111 }
112 }
113
114 BR_INPUT_SKB_CB(skb)->brdev = br->dev;
115
116 if (skb->protocol == htons(ETH_P_PAE) && !br->disable_eap_hack)
117 return br_pass_frame_up(skb);
118
119 if (p->state == BR_STATE_LEARNING)
120 goto drop;
121
122 BR_INPUT_SKB_CB(skb)->src_port_isolated = !!(p->flags & BR_ISOLATED);
123
124 if (IS_ENABLED(CONFIG_INET) &&
125 (skb->protocol == htons(ETH_P_ARP) ||
126 skb->protocol == htons(ETH_P_RARP))) {
127 br_do_proxy_suppress_arp(skb, br, vid, p);
128 } else if (IS_ENABLED(CONFIG_IPV6) &&
129 skb->protocol == htons(ETH_P_IPV6) &&
130 br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED) &&
131 pskb_may_pull(skb, sizeof(struct ipv6hdr) +
132 sizeof(struct nd_msg)) &&
133 ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) {
134 struct nd_msg *msg, _msg;
135
136 msg = br_is_nd_neigh_msg(skb, &_msg);
137 if (msg)
138 br_do_suppress_nd(skb, br, vid, p, msg);
139 }
140
141 switch (pkt_type) {
142 case BR_PKT_MULTICAST:
143 mdst = br_mdb_get(br, skb, vid);
144 if ((mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) &&
145 br_multicast_querier_exists(br, eth_hdr(skb))) {
146 if ((mdst && mdst->host_joined) ||
147 br_multicast_is_router(br)) {
148 local_rcv = true;
149 DEV_STATS_INC(br->dev, multicast);
150 }
151 mcast_hit = true;
152 } else {
153 local_rcv = true;
154 DEV_STATS_INC(br->dev, multicast);
155 }
156 break;
157 case BR_PKT_UNICAST:
158 dst = br_fdb_find_rcu(br, eth_hdr(skb)->h_dest, vid);
159 default:
160 break;
161 }
162
163 if (dst) {
164 unsigned long now = jiffies;
165
166 if (test_bit(BR_FDB_LOCAL, &dst->flags))
167 return br_pass_frame_up(skb);
168
169 if (now != dst->used)
170 dst->used = now;
171 br_forward(dst->dst, skb, local_rcv, false);
172 } else {
173 br_offload_skb_disable(skb);
174 if (!mcast_hit)
175 br_flood(br, skb, pkt_type, local_rcv, false);
176 else
177 br_multicast_flood(mdst, skb, local_rcv, false);
178 }
179
180 if (local_rcv)
181 return br_pass_frame_up(skb);
182
183out:
184 return 0;
185drop:
186 kfree_skb(skb);
187 goto out;
188}
189EXPORT_SYMBOL_GPL(br_handle_frame_finish);
190
191static void __br_handle_local_finish(struct sk_buff *skb)
192{
193 struct net_bridge_port *p = br_port_get_rcu(skb->dev);
194 u16 vid = 0;
195
196 /* check if vlan is allowed, to avoid spoofing */
197 if ((p->flags & BR_LEARNING) &&
198 !br_opt_get(p->br, BROPT_NO_LL_LEARN) &&
199 br_should_learn(p, skb, &vid))
200 br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid, false);
201}
202
203/* note: already called with rcu_read_lock */
204static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
205{
206 struct net_bridge_port *p = br_port_get_rcu(skb->dev);
207
208 if (p->state != BR_STATE_DISABLED)
209 __br_handle_local_finish(skb);
210
211 /* return 1 to signal the okfn() was called so it's ok to use the skb */
212 return 1;
213}
214
215static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
216{
217#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
218 struct nf_hook_entries *e = NULL;
219 struct nf_hook_state state;
220 unsigned int verdict, i;
221 struct net *net;
222 int ret;
223
224 net = dev_net(skb->dev);
225#ifdef HAVE_JUMP_LABEL
226 if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
227 goto frame_finish;
228#endif
229
230 e = rcu_dereference(net->nf.hooks_bridge[NF_BR_PRE_ROUTING]);
231 if (!e)
232 goto frame_finish;
233
234 nf_hook_state_init(&state, NF_BR_PRE_ROUTING,
235 NFPROTO_BRIDGE, skb->dev, NULL, NULL,
236 net, br_handle_frame_finish);
237
238 for (i = 0; i < e->num_hook_entries; i++) {
239 verdict = nf_hook_entry_hookfn(&e->hooks[i], skb, &state);
240 switch (verdict & NF_VERDICT_MASK) {
241 case NF_ACCEPT:
242 if (BR_INPUT_SKB_CB(skb)->br_netfilter_broute) {
243 *pskb = skb;
244 return RX_HANDLER_PASS;
245 }
246 break;
247 case NF_DROP:
248 kfree_skb(skb);
249 return RX_HANDLER_CONSUMED;
250 case NF_QUEUE:
251 ret = nf_queue(skb, &state, i, verdict);
252 if (ret == 1)
253 continue;
254 return RX_HANDLER_CONSUMED;
255 default: /* STOLEN */
256 return RX_HANDLER_CONSUMED;
257 }
258 }
259frame_finish:
260 net = dev_net(skb->dev);
261 br_handle_frame_finish(net, NULL, skb);
262#else
263 br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
264#endif
265 return RX_HANDLER_CONSUMED;
266}
267
268/*
269 * Return NULL if skb is handled
270 * note: already called with rcu_read_lock
271 */
272rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
273{
274 struct net_bridge_port *p;
275 struct sk_buff *skb = *pskb;
276 const unsigned char *dest = eth_hdr(skb)->h_dest;
277
278 if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
279 return RX_HANDLER_PASS;
280
281 if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
282 goto drop;
283
284 skb = skb_share_check(skb, GFP_ATOMIC);
285 if (!skb)
286 return RX_HANDLER_CONSUMED;
287
288 memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
289
290 p = br_port_get_rcu(skb->dev);
291 if (p == NULL)
292 goto drop;
293
294 if (br_offload_input(p, skb))
295 return RX_HANDLER_CONSUMED;
296
297 if (p->flags & BR_VLAN_TUNNEL) {
298 if (br_handle_ingress_vlan_tunnel(skb, p,
299 nbp_vlan_group_rcu(p)))
300 goto drop;
301 }
302
303 if (unlikely(is_link_local_ether_addr(dest))) {
304 u16 fwd_mask = p->br->group_fwd_mask_required;
305
306 /*
307 * See IEEE 802.1D Table 7-10 Reserved addresses
308 *
309 * Assignment Value
310 * Bridge Group Address 01-80-C2-00-00-00
311 * (MAC Control) 802.3 01-80-C2-00-00-01
312 * (Link Aggregation) 802.3 01-80-C2-00-00-02
313 * 802.1X PAE address 01-80-C2-00-00-03
314 *
315 * 802.1AB LLDP 01-80-C2-00-00-0E
316 *
317 * Others reserved for future standardization
318 */
319 fwd_mask |= p->group_fwd_mask;
320 switch (dest[5]) {
321 case 0x00: /* Bridge Group Address */
322 /* If STP is turned off,
323 then must forward to keep loop detection */
324 if (p->br->stp_enabled == BR_NO_STP ||
325 fwd_mask & (1u << dest[5]))
326 goto forward;
327 *pskb = skb;
328 __br_handle_local_finish(skb);
329 return RX_HANDLER_PASS;
330
331 case 0x01: /* IEEE MAC (Pause) */
332 goto drop;
333
334 case 0x0E: /* 802.1AB LLDP */
335 fwd_mask |= p->br->group_fwd_mask;
336 if (fwd_mask & (1u << dest[5]))
337 goto forward;
338 *pskb = skb;
339 __br_handle_local_finish(skb);
340 return RX_HANDLER_PASS;
341
342 default:
343 /* Allow selective forwarding for most other protocols */
344 fwd_mask |= p->br->group_fwd_mask;
345 if (fwd_mask & (1u << dest[5]))
346 goto forward;
347 }
348
349 /* The else clause should be hit when nf_hook():
350 * - returns < 0 (drop/error)
351 * - returns = 0 (stolen/nf_queue)
352 * Thus return 1 from the okfn() to signal the skb is ok to pass
353 */
354 if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
355 dev_net(skb->dev), NULL, skb, skb->dev, NULL,
356 br_handle_local_finish) == 1) {
357 return RX_HANDLER_PASS;
358 } else {
359 return RX_HANDLER_CONSUMED;
360 }
361 }
362
363forward:
364 switch (p->state) {
365 case BR_STATE_DISABLED:
366 if (ether_addr_equal(p->br->dev->dev_addr, dest))
367 skb->pkt_type = PACKET_HOST;
368
369 if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
370 dev_net(skb->dev), NULL, skb, skb->dev, NULL,
371 br_handle_local_finish) == 1) {
372 return RX_HANDLER_PASS;
373 }
374 break;
375
376 case BR_STATE_FORWARDING:
377 case BR_STATE_LEARNING:
378 if (ether_addr_equal(p->br->dev->dev_addr, dest))
379 skb->pkt_type = PACKET_HOST;
380
381 return nf_hook_bridge_pre(skb, pskb);
382 default:
383drop:
384 kfree_skb(skb);
385 }
386 return RX_HANDLER_CONSUMED;
387}